Message-ID: <1368665710.69661288985786462.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com>
Date: Fri, 5 Nov 2010 15:36:26 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley <coley@...re.org>
Subject: Re: CVE Clarification: OpenFabrics ofed stack also
 contains RDS protocol

----- "Marcus Meissner" <meissner@...e.de> wrote:

> Hi,
> 
> The openfabrics remote messaging / dma stack also contains the RDS
> protocol family module (actually it seems to be the originator before it
> came into mainline).
> 
> It is in the ofa_kernel package, and SUSE ships it e.g. in the "ofed"
> packages.
> 
> 
> The net/rds/ code inside of it is pretty much the same as the Linux
> kernel module. It also is autoloading with module aliases.
> 
> CVE-2010-3904 seems to be there up to the latest version after looking
> at the code (I tried the 1.4 version).
> 
> CVE-2010-3865 seems to be present in some versions, but not in the
> latest version. Unverified.
> 
> 
> Does this need new CVEs? The projects are different, but the history
> seems clear and the code basically the same.
> 

If the code is the same, then you can reuse the CVE id. We see this for
example when various PDF CVE ids get shared between xpdf and poppler.

If it's the same flaw, but essentially different code, they need new IDs.

From what you describe, it sounds like they are the same, as your package
is the parent of what upstream currently has.

If you think it needs some though, let me know.

Thanks.

-- 
    JB
